
Ignore confirmation on use and timeout settings when ssh key added to Windows OpenSSH #4374

Open
fabianschurz opened this issue Feb 25, 2020 · 17 comments

Comments

@fabianschurz

Expected Behavior

SSH key is added to agent

Current Behavior

SSH key is not added to agent

Possible Solution

Uncheck require user confirmation when this key is used

Steps to Reproduce

  1. Enable OpenSSH Client for Windows 10
  2. Enable SSH Agent for Keepass database
  3. Check use OpenSSH for Windows instead of Pageant
  4. Add entry for key file
    4.1 Add a private key file (I used an ECDSA key)
    4.2 Enable key adding to agent when database is opened/unlocked
    4.3 Enable key removal from agent when database is closed/locked
    4.4 Enable require user confirmation when this key is used

Context

I switched from Linux to Windows and was very happy to see that there is also Windows support for ssh agent. When I found out it was not working, I had to add the key myself via shell.

Debug Info

KeePassXC - Version 2.5.3
Revision: f8c962b

Qt 5.13.2
Debugging mode is disabled.

Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.18363

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare (signed and unsigned sharing)
  • YubiKey

Cryptographic libraries:
libgcrypt 1.8.5

@droidmonkey
Member

So does the error only occur when you require user confirmation?

@fabianschurz
Author

Yes

@hifi
Member

hifi commented Feb 26, 2020

Looks like an upstream issue to me: PowerShell/Win32-OpenSSH#1056

Does it actually work with -c from command line and prompt you before use if you do that outside KeePassXC?

@fabianschurz
Author

Tomorrow I'll try.

@hifi
Member

hifi commented Apr 4, 2020

Any update on this?

@vvvlc

vvvlc commented Apr 17, 2020

I have the same problem; here is the output:

PS C:\Users\vv632728\.ssh> ssh-add.exe -c .\id_rsa_
Could not add identity ".\id_rsa_": communication with agent failed
PS C:\Users\vv632728\.ssh> ssh-add.exe  .\id_rsa_
Identity added: .\id_rsa_ (.\id_rsa_)

Likely an issue on MS side.

When I uncheck "Enable require user confirmation when this key is used", then KeePassXC loads the key correctly.

@hifi
Member

hifi commented May 24, 2020

Closing this as upstream issue, thanks @vvvlc for testing it.

@hifi hifi closed this as completed May 24, 2020
@dancojocaru2000

Would it be possible to add a setting to ignore requiring user confirmation when the agent doesn't support it?

It's very inconvenient to disable user confirmation for Linux and macOS because I want to use the keys on Windows as well.

@ppattard

ppattard commented Jan 30, 2022

Hello,

As I write these lines, it seems Windows' native OpenSSH is still not supporting the confirm-on-use.
Because of that, and because I use the same KeePassXC database files on a mix of Linux/Windows/macOS at home & work, I have to accept the lowest level of security on ALL these machines, i.e. no confirmation-on-use. This is a bit annoying :-(
I personally haven't found any other alternative for Windows that works and supports this feature.

So accepting this fact and clearly exposing that this option works only on Linux/macOS (and therefore not passing the '-c' flag to ssh-add when on Windows hosts), or accepting the proposal from @dancojocaru2000 to add a global setting to ignore confirmation, would really make it more usable without compromising security on other machines that correctly support it.

Please consider this request!
Thank you.

@droidmonkey
Member

@hifi since we know that this feature doesn't work when using Windows native OpenSSH, let's just ignore the setting when that combo is present.

@droidmonkey droidmonkey reopened this Jan 30, 2022
@droidmonkey droidmonkey changed the title Agent protocol error when adding ssh key on windows Ignore confirmation on use setting when ssh key added to Windows OpenSSH Jan 30, 2022
@hifi
Member

hifi commented Jan 30, 2022

@droidmonkey We know it doesn't work right now but when it does we would be gimping our side. Having an option would be slightly odd as well, maybe an option without a GUI that defaults to off on Windows so if it's ever implemented there's a workaround to force enable it?

@droidmonkey
Member

Can we attempt to add with the option, and if that fails, fall back to without the option?

@hifi
Member

hifi commented Jan 30, 2022

Then we would be silently discarding a security option which doesn't sound too good either. Even if it was non-silent we'd still ignore it without user intervention which is again worse for security.

I know the current behavior is not ideal, but I'm conceptually against discarding security options without explicit user action or making it behave differently on different platforms by default (which I suggested in the previous message). An unsuspecting user could be leaving a key loaded in OpenSSH for Windows until they log out completely if they used a timeout, for example.

@dancojocaru2000

A warning about the behavior could be added on the Windows version of KeePassXC in the settings page where OpenSSH support is enabled?

@tinne26

tinne26 commented Jul 28, 2022

Just got bitten by this. An improved error message mentioning that the configuration doesn't work with Windows OpenSSH instead of the vague "Agent protocol error", or a small label next to the option that mentions that windows OpenSSH may not work with that option (shown only when the system is Windows and OpenSSH agent is enabled, and maybe linking to this issue too) would really go a long way to mitigate what can otherwise become a significant source of frustration. Or provide access to the more detailed error (if there's one instead of that vague "protocol error").

I know it's very annoying to have to go after other people's broken stuff like this, and that it should be on Microsoft to fix this... but there are reasonable improvements to be made on KeePassXC too.

Just commenting as a reminder that the issue still exists and in case it motivates anyone to tackle it. Thanks for all the work you people put into this.

@bendem

bendem commented Feb 21, 2023

Agreed, just went down this rabbit hole as well. The error message should be augmented with something like "Windows doesn't support the option "require confirmation" when using the OpenSSH agent, see #4374" when kpxc is configured to use the "native" agent and the user tries to add a key requiring confirmation.

@droidmonkey droidmonkey changed the title Ignore confirmation on use setting when ssh key added to Windows OpenSSH Ignore confirmation on use and timeout settings when ssh key added to Windows OpenSSH Jul 24, 2023
@droidmonkey droidmonkey added this to the v2.8.0 milestone Jul 24, 2023
@droidmonkey
Member

If we cannot actually ignore these options (or target it specifically to OpenSSH for Windows) then a better error message hint will suffice. Also pairing this with #9661 would bring back functionality without relying on OpenSSH for Windows to implement it.
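As an added illustration (not KeePassXC or OpenSSH code) of what the "require confirmation" and timeout options put on the ssh-agent wire, and how the rejection could be reported as the specific hint requested in this thread instead of a vague "Agent protocol error": the message-type and constraint constants are from the ssh-agent protocol draft, the key blob is a constructed placeholder, and `NoConstraintAgent` is a constructed stand-in that mimics the failure reported above, not a real agent.

```python
import struct

# ssh-agent wire protocol constants (draft-miller-ssh-agent)
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENT_CONSTRAIN_LIFETIME = 1   # followed by uint32 seconds (the "timeout" option)
SSH_AGENT_CONSTRAIN_CONFIRM = 2    # no payload; what `ssh-add -c` asks for


def _string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_request(key_blob: bytes, comment: str, confirm: bool = False, lifetime: int = 0) -> bytes:
    """Frame an add-identity request. Any constraint switches the message type to
    SSH_AGENTC_ADD_ID_CONSTRAINED, which is the request OpenSSH for Windows rejects."""
    constraints = b""
    if lifetime:
        constraints += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        constraints += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    msg_type = SSH_AGENTC_ADD_ID_CONSTRAINED if constraints else SSH_AGENTC_ADD_IDENTITY
    payload = bytes([msg_type]) + key_blob + _string(comment.encode()) + constraints
    return _string(payload)  # outer frame is also length-prefixed


class NoConstraintAgent:
    """Constructed stand-in: accepts plain adds, answers any constrained add with
    SSH_AGENT_FAILURE, as reported for OpenSSH for Windows in this thread."""

    def request(self, frame: bytes) -> bytes:
        ok = frame[4] == SSH_AGENTC_ADD_IDENTITY   # byte 4 is the message type
        return _string(bytes([SSH_AGENT_SUCCESS if ok else SSH_AGENT_FAILURE]))


def add_key(agent, key_blob: bytes, comment: str, confirm: bool = False, lifetime: int = 0):
    """Send the request and turn the one-byte reply into an actionable message.
    A rejected constraint is reported to the user, never silently retried without it."""
    reply = agent.request(build_add_request(key_blob, comment, confirm, lifetime))
    (length,) = struct.unpack(">I", reply[:4])
    if length >= 1 and reply[4] == SSH_AGENT_SUCCESS:
        return True, "identity added"
    if confirm or lifetime:
        return False, ("agent rejected the key constraints (require confirmation / timeout); "
                       "OpenSSH for Windows does not support them, see #4374")
    return False, "agent protocol error"


# Constructed placeholder blob; a real one carries the algorithm name, public and private parts.
DUMMY_KEY = _string(b"ssh-ed25519") + _string(b"\x00" * 32) + _string(b"\x00" * 64)
```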
